This is starting to make sense since telnet is a local process and its output should directly go into the OUTPUT chain. However, this raises another question: according to update 1, telnet messages can also be dropped in the INPUT chain, so how exactly are the packets travelling? OUTPUT -> INPUT?

Any previous rules in PREROUTING which match these packets?
– Hauke Laging Apr 26 '13 at 5:05

No, there are no other rules. Those are the only two.
– tonytz Apr 26 '13 at 5:32

1

Do you test this with new connections (TCP SYN packets)? You may check with tcpdump. Existing connections are not affected by PREROUTING.
– Hauke Laging Apr 26 '13 at 5:40

This is what I am doing: I use Firefox to visit a specific site and I monitor where the returning packets are going to (i.e. dest_ip). Then I try to re-direct the returning packets using DNAT as shown above. This apparently doesn't work as Firefox still displayed the page successfully. Based on what you said, perhaps it is because this is an existing connection, since Firefox already established a connection before receiving the returning packets?
– tonytz Apr 26 '13 at 5:47

1

Try `iptables -t nat -L PREROUTING -v -n` to see whether your rule is being used (check the counter) when you try. Also you could check that your traffic doesn't get stuck in any other rule, e.g. OUTPUT or FORWARD. I seem to recollect having had similar trouble just because I dropped the packet in another chain...
– Petter H Apr 26 '13 at 6:12

1 Answer
1

All your tests have pointed out something that you should have figured out. When dealing with Netfilter/iptables, you cannot successfully build your rules without having the packet flow in mind.

As you can see, a local process never goes through the PREROUTING chain but only OUTPUT and POSTROUTING. This is why your telnet process is redirected when you place your rule in OUTPUT but not when you put it in PREROUTING. However, this rule is right for an external packet traversing your machine.

Thank you for responding. Although telnet is a local process and its packets can be manipulated in the OUTPUT chain, this still doesn't explain the initial question that an external packet coming into the machine can be dropped in the INPUT chain but cannot be re-directed in the PREROUTING chain.
– tonytz Apr 28 '13 at 17:28
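To make the answer's chain-traversal point and Petter H's counter check concrete, here is an added example script (not from the thread or from iptables itself): `chain_path` models which filter and nat chains a packet visits depending on where it originates, and `unmatched_rules` parses a constructed `iptables -t nat -L PREROUTING -v -n` listing to find rules whose packet counter never moved. The listing text and the 10.0.0.5:8080 DNAT target are constructed sample data.

```shell
#!/bin/sh
# Added example, not part of the original thread. Models the Netfilter
# traversal described in the answer and checks nat rule counters offline.

# Print the chains a packet passes through for a given path:
#   local    - generated by a process on this host (telnet, Firefox)
#   incoming - arriving from outside, delivered to this host
#   forward  - arriving from outside, routed on to another host
# Only the filter and nat chains discussed in the thread are listed
# (raw/mangle omitted; nat INPUT, used for SNAT of locally delivered
# packets, is also omitted). The nat table is consulted only for the
# first packet of a connection (conntrack state NEW); later packets of an
# established connection reuse the mapping and never hit nat rules, which
# is why a rule added mid-connection does not redirect existing traffic.
chain_path() {
    path=$1 state=${2:-NEW}
    case "$path" in
        local)    filter="OUTPUT";  nat="OUTPUT POSTROUTING" ;;
        incoming) filter="INPUT";   nat="PREROUTING" ;;
        forward)  filter="FORWARD"; nat="PREROUTING POSTROUTING" ;;
        *) echo "unknown path: $path" >&2; return 1 ;;
    esac
    [ "$state" = NEW ] || nat=""
    echo "filter:${filter} nat:${nat}"
}

# Constructed listing in the format of `iptables -t nat -L PREROUTING -v -n`.
SAMPLE_LISTING='Chain PREROUTING (policy ACCEPT 42 packets, 2520 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 to:10.0.0.5:8080'

# Count rules whose pkts counter is still 0. A zero counter means the rule
# never matched: the packets took another chain (locally generated traffic
# goes via OUTPUT, not PREROUTING) or belonged to an existing connection.
unmatched_rules() {
    printf '%s\n' "$1" | awk 'NR > 2 && $1 == 0 { n++ } END { print n + 0 }'
}

chain_path local                # filter:OUTPUT nat:OUTPUT POSTROUTING
chain_path incoming             # filter:INPUT nat:PREROUTING
chain_path incoming ESTABLISHED # filter:INPUT nat:
unmatched_rules "$SAMPLE_LISTING"   # 1
```

On a live system, replace SAMPLE_LISTING with the real output of `iptables -t nat -L PREROUTING -v -n` (as root) and test with a fresh connection so the first packet is in conntrack state NEW.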